Today's online environment provides users with access to a wide variety of network-based content, such as websites. Some websites, however, may include computer code that can be harmful to a user's computing device. One example of such code is known as malware. Malware includes computer code (e.g., a software application, a utility, or other code) that can interfere with a computer's normal functioning. Typically, a computer is inadvertently exposed to malware when a user accesses content associated with the malware. For example, a user can open an email attachment that includes the malware or can navigate to a website that can cause the malware to be loaded onto the user's computing device. While some existing techniques attempt to detect and prevent malware infection of a computing device, some forms of malware continue to be difficult to detect.
One specific example of malware that can be difficult to detect is script-based malware. Script-based malware includes script code that can infect a computing device and cause the computing device to malfunction. Examples of script code that can be used to generate script-based malware include JavaScript, Visual Basic Script (VBScript), and so on. In an example scenario, a user navigates to a website that includes script-based malware. The script code of the script-based malware is then loaded onto the user's computing device, e.g., as part of the website code. A script engine on the computing device then parses the script code and the parsed script code is executed on the computing device. Execution of the parsed script code can cause a variety of undesirable activities on the computing device, such as the slowing and/or malfunctioning of applications running on the computing device.
One particular type of script-based malware attack is known as a heap spray. A typical heap spray includes three different components: a shellcode, a spray, and a vulnerability. The shellcode includes executable machine code that is placed on a heap (data structure) for a particular application (e.g., a web browser) when the malware is executed. The spray causes multiple copies of the shellcode to be allocated into the heap for the particular application, which causes the undesirable functioning associated with the malware. Finally, the vulnerability refers to the particular aspect of the application that is being exploited to allow the malware to be executed on the computing device, such as a memory safety vulnerability, an input validation vulnerability, and so on. While some techniques exist for detecting and/or preventing a heap spray attack, these techniques typically involve significant processing overhead such that it is not feasible to implement them in an on-the-fly scenario, such as part of a web browser security suite.